Criminal Justice Information Services (CJIS)

Law enforcement agencies trust their criminal justice information to Athreon.

CJIS Overview

The Criminal Justice Information Services Division (CJIS) is the FBI segment that mandates parameters for access to Criminal Justice Information (CJI). The CJIS Security Policy outlines standards for protecting the sources, transmission, storage, and creation of CJI. It establishes best practices to ensure timely, secure, and reliable access to CJI for agencies that prevent and mitigate crime. So, CJIS is a significant concern for law enforcement agencies looking to use a transcription company.

The fundamental objective of CJIS is to keep CJI secure and private so that it isn’t tampered with, and it can be relied upon when submitted to a court of law. This is why law enforcement agencies must work with a transcription company like Athreon that understands the complexities of CJIS. CJI can take many forms including, fingerprint data, criminal background information, arrest reports, sentencing reports, parole reports, and body-worn camera footage.

CJIS Security Policy

If any CJI were to be compromised and fall into the wrong hands, it could be detrimental to law enforcement and the community. For this reason, Athreon has developed its transcription service with a strong focus on supporting the CJIS Security Policy.

The CJIS Security Policy outlines 13 areas aimed at preventing unauthorized access to CJI while maintaining its integrity. These policy areas include:

Entities need to sign formal documents that outline how they are permitted to handle CJI.

Staff with access to CJI must undergo security training within six months of hire and biannually after that.

Protocols must help detect, mitigate, and recover from threats. Entities must report security incidents to the Justice Department.

Entities need to document items like login attempts, attempts to change passwords and destroy logs files, and more.

Entities need to limit access to CJI based on job function. Likewise, restrictions on data management are necessary too.

Unique login credentials to access CJI and advanced authentication methods like multifactor authentication are required.

Entities need to ensure that only authorized system users can make changes like system updates.

Measures to protect physical and digital CJI are required while in transit and at rest. Entities need to destroy CJI on retired equipment.

Unauthorized individuals should not have access to CJI in any place where it is stored.

Applications and information systems need to ensure data security as well as system and network integrity. Encryption, breach detection, and network security are all critical considerations.

The FBI or other agencies may launch audits to ensure CJIS compliance. Entities are subject to audits every three years at a minimum.

Everyone with access to CJI (employees, contractors, and subcontractors) is subject to background checks, including fingerprinting.

Entities need to establish usage restrictions to authorize, monitor, and control access to CJI on smartphones and tablets.

Who Needs to Comply With CJIS?

Anyone with access to CJI must comply with CJIS. Federal, state, county, municipal, and other agencies need to comply. Any agency with an FBI number must comply with CJIS. Likewise, vendors that support law enforcement agencies must comply with CJIS. Vendors could include a cloud service provider, a transcription company, a data backup vendor, a private security firm, and a background check company.

How Athreon’s Transcription Service Protects CJI

We only use the CJI entrusted to us to deliver our contracted solutions. We have implemented robust administrative, technical, and physical controls to protect CJI, including advanced encryption. Additionally, we restrict the processing and handling of CJI to transcription company staff located in the United States. Our workforce members are required to undergo background checks and fingerprinting.

CJIS Security Addendum

The CJIS Security Rule explains that law enforcement agencies should have their vendors with access to CJI sign the CJIS Security Addendum. By signing the CJIS Security Addendum, a vendor accepts their responsibility to project criminal justice information. Athreon will sign the CJIS Security Addendum to attest to its commitment to comply with the CJIS requirements.

Security Risk Assessments

Athreon performs a Security Risk Assessment annually. The Risk Assessment helps our transcription company evaluate the effectiveness of our CJIS protocols. Additionally, our Risk Assessments help us identify threats to CJI that require our attention. In some cases, we conduct Security Risk Assessments more regularly when we introduce new technology or processes or make a significant change to our existing transcription service technology or processes.

CJIS Security Awareness Training

Because we take securing criminal justice information seriously in our transcription business, we provide Security Awareness Training to our staff members with access to CJI. New hires that management authorizes to have access to CJI participate in a comprehensive CJIS training course, which they renew no less than every two years. In between annual training courses, employees participate in weekly cybersecurity training lessons so that security awareness remains top of mind. We understand that CJIS training varies by state and by agency. We are willing to participate in CJIS training specific to individual law enforcement agencies.

CJIS Compliance – A Shared Responsibility

Although we have implemented strong controls to ensure CJIS compliance in our transcription company, data privacy is a responsibility we share with our law enforcement clients. Clients are responsible for granting appropriate CJI access to Athreon and their end-users. Clients are also responsible for configuring our speech to text solutions to adhere to the CJIS regulations and any other security policies their organization may require.

CJIS Security Incidents

If we were to have a data breach, we would alert the impacted agencies about the security incident without undue delay. We would relay specific details about the security violation and provide a breach risk assessment document and a security incident report.

We encourage clients, vendors, employees, or anyone else with concerns about Athreon’s CJIS compliance to contact Anyone may report a concern without fear of reprisal. A compliance officer will address reported concerns and take the action necessary to remediate the matter.